Security

(public)

User Story

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4
Whenever attempting to display a feed-post from a blog which uses the followers gadget from google friend connect the default webbrowser pops up and opens the given error url in a new tab. Not tested on other google friend connect gadgets, but will PROBABLY be reproducable on any other google friend gadget.
Reproducible: Always
Steps to Reproduce:
1. add a rss feed using the google friend connect "followers" widget to the mozilla rss reader (e.g. http://diaryofagraphicsprogrammer.blogspot.com/feeds/posts/default <-- NOT MY BLOG, NOT POSTED FOR ADVERTISING PURPOSES)
2. Click on a post
Actual Results:
Default browser pops up displaying the following url in a new tab:
http://ps.friendconnect.gmodules.com/ps/ifr
The post clicked on however is displayed by thunderbird. Only the google friend connect gadget is deactivated.
Expected Results:
No browser popping up and displaying some error page? o.O
Disabling these gadgets would be the fastest solutions, nobody needs them in a rss feed anyway.

(In reply to comment #3)
> doubt we'd block on this, unless there are content policy issues here.
> Standard8?
I think this is more a case of popup blocking than content policy - I suspect there's some js (which is allowed in feeds) or something calling an appropriate function (e.g. window.open) and we're just then handing it off to the browser.
Digging into what Firefox do for popup blocking may lead to a solution here.

We're resetting the blocking flag for 3.1 on this bug and instead setting the wanted-thunderbird+ flag. We have too many blocking-3.1 bugs, to the point where it doesn't mean much, and managing the list is making it hard to actually work on closing bugs, which helps no one.
Thunderbird 3.1's primary purpose is to allow us to offer a prompted major update to Thunderbird 2 users, to ensure their continued ability to safely use Thunderbird. Thunderbird 2 is built on an outdated version of Gecko, and our long-term ability to maintain the users' safety for Thunderbird 2 users is limited.
If you think this bug meets the requirements below, please renominate with a detailed explanation of how it meets the following two criteria, and we will reconsider. To qualify, this bug must either:
a) make the upgrade experience from TB2 very painful for a large number of users
or
b) be a new, reproducible, severe quality issue (eg dataloss, frequent crashes)
Just because this bug doesn't block TB3.1 doesn't mean it can't or won't make the release. Once they're done with their blockers (if any), we encourage developers to keep working on non-blocking bugs, and to try to land them as early in the cycle as possible, as non-blocking bugs will become increasingly difficult to land in the later stages of the cycle.

Funnily enough I was just thinking the same thing as I closed down the 10 tabs that had been opened in Firefox after catching up with a few blogs. Not only is the problem annoying, it's clearly a data leak too and one that could presumably be used to track certain eleemnts via a different browser profile, with different cookies etc. I'm quite surprised that it's not been fixed yet :(

This is quite annoying. I think it's not related to blocked popups, as firefox doesn't show any popups to be blocked.
A test case is Linus' blog http://torvalds-family.blogspot.com/feeds/posts/default - use show as web page.
Loading it in a 3pane content tab doesn't show the problem... this works:
Components.classes['@mozilla.org/appshell/window-mediator;1'].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow("mail:3pane").document.getElementById("tabmail").openTab("contentTab", {contentPage: "http://torvalds-family.blogspot.fi/2009/05/more-reading.html"});

(I think) I've cured - well blocked - this, on The Verge RSS feed currently using AdBlockPlus to block the element containing the add-to Twit/Face/etc buttons.
theverge.com##.social-media-column.clearfix.instapaper_ignore.entry-unrelated
I'm currently testing on other RSS feeds

this is actually not strictly due to a popup open, as per comment 15. it is a redirect to a different url. script trying to open a popup window could lead to the same effect though, an attempt to open the url in the default browser.

Status: RESOLVED → REOPENED

Resolution: DUPLICATE → ---

Summary: Displaying a Blog feed that uses a Google friend connect followers gadget yields in browser opening an error page. → Displaying a feed message (web page mode) that uses script to redirect a different url results in passing the url to the default browser.

I've read the Mozilla Bug reports and while everybody talks about it, NOTHING is being done about it.
I canned one newsfeed because of it, and 3 weeks after going to some other feed, it's started up again.
This is a ONE pixel .GIF image that I, for the life of me, cannot see as being useful. What purpose would it serve to open my browser just to display 1 pixel?????? Couple that with it being on an HTTPS link. Why?????
This should be a relatively easy fix.... Just BLOCK IT from going out from TBird.
SOMEBODY PLEASE DO SOMETHING.

Yeah, some helpful soul in thunderbird.support suggested an ad blocker. I settled on uBlock Origin, even though the author does not want to support Thunderbird (he is very busy supporting browsers) someone else did some work on the AddOn and it kinda works in TB. This bug has been reported here 6 times so far, that means lots of people are affected (very few will open a bug).